For the curious, my dnscrypt-proxy config [is in my shell-things repository](https://github.com/Mikaela/shell-things/tree/master/etc/dnscrypt-proxy) ([mirror](https://gitea.blesmrt.net/mikaela/shell-things/src/branch/master/etc/dnscrypt-proxy)).
* * * * *
## 2019-07-22 update
I have also started performing local DNSSEC validation by running Unbound
in front of dnscrypt-proxy, so my queries go resolv.conf -> Unbound ->
dnscrypt-proxy -> configured resolvers. The advantage is that if a
configured resolver doesn't perform DNSSEC validation, or lies about
performing it, I still get the protection of DNSSEC.
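One way to check that the local validator, not the configured resolver, is what enforces DNSSEC (an added example, not part of the original post): the function below classifies the header of a `dig +dnssec` response. The sample responses are constructed, and the `127.0.0.1` listen address and the zone placeholders in the comments are assumptions.

```shell
#!/bin/sh
# Added example: classify a `dig +dnssec` response (read on stdin) by its header.
# Prints one of: validated, unvalidated, rejected, unknown.
# Live use, assuming Unbound listens on 127.0.0.1 (placeholders, not real zones):
#   dig +dnssec @127.0.0.1 <signed-zone> | dnssec_verdict              (expect validated)
#   dig +dnssec @127.0.0.1 <deliberately-broken-zone> | dnssec_verdict (expect rejected)
# SERVFAIL only proves validation when the zone is known to be mis-signed;
# for any other name it can simply mean that resolution failed.
dnssec_verdict() {
    awk '
        /->>HEADER<<-/ {
            # ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242"
            for (i = 1; i <= NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {
            # ";; flags: qr rd ra ad; QUERY: 1, ..." -> keep only the flag words
            line = $0
            sub(/^;; flags: */, "", line)
            sub(/;.*/, "", line)
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        END {
            if (status == "SERVFAIL") print "rejected"
            else if (status == "NOERROR" && ad) print "validated"
            else if (status == "NOERROR") print "unvalidated"
            else print "unknown"
        }'
}

# Constructed sample headers (not captured from a real resolver).
SIGNED_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
BOGUS_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
PLAIN_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

for sample in "$SIGNED_SAMPLE" "$BOGUS_SAMPLE" "$PLAIN_SAMPLE"; do
    printf '%s\n' "$sample" | dnssec_verdict
done
```

An `unvalidated` verdict for a zone known to be signed means the answer passed through without the local validator vouching for it, which is the case this chain is meant to rule out.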
The steps are simple:
1. `sudo apt install unbound`
   * You should see a file `/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf`
     which simply says `server:` and, on another line after indenting,
     `auto-trust-anchor-file: "/var/lib/unbound/root.key"` (the path varies
     by distribution), which means it's performing DNSSEC validation with